v0.2.0 — Cryptographic delegation proof

v1 recorded that an action matched a receipt. v2 adds cryptographic proof the
grant was real: the principal signs the receipt (Ed25519) and the verifier
checks it against a trusted key.

• Signed receipts (Receipt.sign) + agentledger.signing ([crypto] extra)
• Trusted-key verification via KeyProvider / InMemoryKeyProvider
• require_signed policy (graceful default) + per-call scopes checks
• Pluggable agent identity (IdentityProvider; Static + SPIFFE)
• New signature_verified / identity_status on proofs; new violation types
• Backward compatible: v1 unsigned receipts and v1-format logs still verify

What v2 does and does not defend against: docs/threat-model.md.
Full notes: CHANGELOG.md.

The missing audit layer between "token is valid" and "action is recorded."
AgentLedger records tamper-evident action proofs for every MCP tool call and
checks each invocation against an advisory delegation receipt.

AgentLedger records and attributes actions — it does not enforce
authorization by default. A violating call is recorded as a proof and still
runs (opt into blocking with on_violation="raise"). Hash-chaining makes the
log tamper-evident; it does not prove an action was authorized at execution
time by a cryptographically verified identity. See the README security note.

Highlights

• @ledger.record decorator — works on sync and async handlers with zero
  restructuring, safe inside a running asyncio loop. on_violation =
  record (default) / warn / raise.
• Delegation receipts with a frozen, version-tagged signable serialization
  (agentledger.receipt.v1), ready for v2 cryptographic signing without a
  breaking change.
• Hash-chained, append-only JSONL proof log (agentledger.chain.v1); chain head
  restored across process restarts; file-locked concurrent appends.
• Verifier/Verdict, Rich terminal + self-contained HTML reports.
• CLI: init, report, verify (exit 1 on violations), chain
  (exit 1 on tamper).
• Silent, zero-config TraceForge span enrichment when agentrace-llm is present.

Quality

• 29 tests passing; ruff clean; CI across Python 3.10 / 3.11 / 3.12.

Install

bash pip install agentledger-llm # (pending PyPI publish)

Roadmap

• v2 — signed receipts, SPIFFE/SPIRE SVID verification, enforced WIMSE WPT
  validation, scope-level checks.
• v3 — multi-hop delegation chains, mid-chain revocation.

See docs/roadmap.md for full scope and entry/exit criteria.